The 3rd Party Audit Went Away. The Obligation Didn't.
CMMC Phase II is suspended. DFARS 252.204-7012 is not. Here's a calm, complete walk through everything that still binds a defense contractor today — because we'd rather you hear it from us than find out the hard way.
Since July 13, one reaction has swept through the small-contractor community faster than any other:
"Great — CMMC is dead. I can stop." ---> NO!!!
We understand where it comes from. If you've spent two years bracing for a third-party assessment you couldn't schedule and maybe couldn't afford, the suspension of Phase II reads like the whole program collapsing. Half the headlines encouraged that reading.
But that reading is wrong, and it's the kind of wrong that costs contracts.
The Department of War suspended a verification mechanism — the third-party audit that would have checked your work. It did not suspend the obligation the audit was checking. Your legal and contractual duties to protect federal data on July 12 are, almost line for line, your duties today.
This article is the plain-English inventory of what still binds you. It isn't a scare piece, and it isn't a legal opinion — it's the correction almost nobody else in this market is publishing. Read it once now, and you'll be immune to the most expensive misunderstanding of 2026.
The Split That Matters: Suspended vs. Still Firmly In Place
Before anything else, put the announcement in two columns. Everything in this article flows from this split.
❌ Suspended
- The Phase II transition — scheduled for November 10, 2026
- Third-party C3PAO assessments as a condition of contract award
- Phase III (Nov. 2027) and DIBCAC-led Level 3 assessments
- Pending and future CMMC implementation milestones across DoW solicitations and contracts
✅ Still Firmly In Place
- Phase I self-assessment requirements — in the Department's own words, these "remain firmly in place"
- DFARS 252.204-7012 — the contract clause obligating you to safeguard covered defense information
- NIST SP 800-171 Rev 2 — the standard the Department will enforce during the interim
- Select government-led assessments — the Department explicitly retained the right to check
- Your prime's flow-down requirements — nothing in the announcement amends your subcontract
- False Claims Act accountability for the accuracy of what you attest
Notice which column is longer. The suspension removed one thing — the third party — and left the entire legal architecture underneath it standing. Let's walk through that right-hand column, one item at a time.
DFARS 252.204-7012: The Clause That Was Never a CMMC Artifact
If you take one thing from this article, take this: DFARS 252.204-7012 is not part of CMMC. It doesn't come from CMMC, it doesn't depend on CMMC, and it doesn't pause when CMMC pauses.
The clause has been in defense contracts since before CMMC existed — its current safeguarding requirements took full effect at the end of 2017, roughly two years before CMMC was even announced. If it's in your contract (and if you handle covered defense information, it is), it obligates you to three things in plain terms:
What DFARS 7012 actually requires
- Safeguard covered defense information by providing "adequate security" on any system that processes, stores, or transmits it — and "adequate security" is defined, at minimum, as implementing NIST SP 800-171.
- Report cyber incidents rapidly — discovery of a cyber incident affecting covered defense information triggers a rapid-report obligation to the Department (within 72 hours), along with preservation and cooperation duties.
- Flow the clause down to your own subcontractors who will handle covered defense information — which is exactly why your prime holds you to it, too.
Here's the part that makes this the anchor of everything: 7012 survives every possible outcome of the 60-day review. If CMMC comes back streamlined, 7012 stands. If CMMC is replaced with something new, 7012 stands. If CMMC is cancelled outright — which officials did not rule out — 7012 still stands, because it was never a CMMC requirement in the first place. CMMC was invented to verify compliance with the obligations 7012 created.
The audit was the thermometer. 7012 is the fever. Throwing out the thermometer doesn't change your temperature.
Phase I Self-Assessments: "Remain Firmly In Place" — Their Words, Not Ours
The second item in the standing column comes straight from the Department's own announcement: Phase I self-assessment requirements "remain firmly in place."
Phase I — in effect since November 2025 — requires self-assessments under both CMMC Level 1 and Level 2, where the contract requires them. In practice, that means:
- Completing an honest self-assessment against the applicable practices — all 15 at Level 1, the full NIST SP 800-171 set at Level 2.
- Posting your results to SPRS, the Supplier Performance Risk System, where contracting officers and primes can see them.
- Making an annual affirmation — a named company official affirming, on the record, that your assessment is accurate and your posture is what you say it is.
None of that was suspended. If a solicitation or your existing contract carries a Phase I self-assessment requirement, that requirement was exactly as binding on July 14 as it was on July 12. The contractor who lets their SPRS score lapse or skips this year's affirmation because "CMMC is paused" isn't taking advantage of the suspension — they're quietly falling out of compliance with a requirement the Department went out of its way to say still applies.
💡 A 10-minute check worth doing this week
Pull your active DoD contracts and your prime flow-downs, and search for 252.204-7012, 252.204-7019/7020, and any CMMC self-assessment language. Your obligations are whatever your contracts say they are — not whatever the headlines imply. If you're not sure how to read what you find, that's exactly what our free consultation is for.
The Point Most Contractors Haven't Thought Through: Your Prime
Here's the one that catches even well-informed subcontractors off guard.
The Department of War's announcement changed the Department's own rollout schedule. It did not — and cannot — amend the private contract between you and your prime.
Your prime's flow-down requirements are contractual obligations between two companies. If your subcontract requires a current SPRS score, a completed self-assessment, an annual affirmation, or evidence of NIST SP 800-171 implementation, those terms are still in force until your prime changes them. And primes, whose own contracts still carry DFARS 7012 and who remain responsible for their supply chains, have every incentive to keep gating work on compliance.
In fact, many primes are likely to lean harder on supplier attestations during the interim, precisely because the third-party checkpoint is gone. When the government isn't sending an assessor, your prime's assurance about its supply chain rests entirely on what its subs can document.
Practical translation: the fastest way to find out the suspension didn't apply to you is to show up to your next teaming conversation without a current self-assessment. The contractor across the table who has one wins.
The False Claims Act Point — Stated Calmly
We're not going to fear-monger here, because this point doesn't need it. It just needs to be said clearly.
When you post a score to SPRS and affirm your compliance annually, you are making a representation to the federal government. The False Claims Act has always applied to the accuracy of those representations — the Department of Justice has pursued cybersecurity-related cases under its Civil Cyber-Fraud Initiative since 2021, well before Phase II was ever scheduled.
Nothing about July 13 changed that. The suspension removed the third-party audit; it did not remove your accountability for what you attest. Attesting to a security posture you don't actually have has always been the real risk — with or without CMMC.
The good news: the protection against that risk is the same as it has always been, and it's entirely within your control. An honest assessment, a score you can defend, and evidence behind every answer. Not a spreadsheet of optimistic yes's — documentation that shows your controls actually run.
Is your current SPRS posture something you'd stand behind?
Our free CMMC Assessment Tool evaluates all 15 Level 1 practices and gives you an instant gap analysis with a prioritized remediation roadmap. No credit card, no obligation. Results in under 30 minutes — and you'll know exactly where your affirmation stands.
Run the Free Assessment →Three Words to Keep in Mind: "Select Government-Led Assessments"
One more line from the announcement deserves a mention, even though we'll give it full treatment later in this series.
The Department said it will enforce NIST SP 800-171 during the interim through self-assessments and "select government-led assessments." The third party is gone; the government's right to look is not.
⚠️ If you're selected, your documentation is the only thing in the room
In a government-led assessment there's no consultant beside you and no C3PAO walking you through your binder. What you've documented — policies, procedures, evidence, and a self-assessment that matches reality — is the entire case. In that sense, the bar for evidence quality just went up, not down. We'll unpack what "select" likely means and how to prepare in Part 4 of this series.
Putting It Together: What "I Can Stop" Actually Gets Wrong
| The belief | The reality |
|---|---|
| "CMMC is dead, so the requirements are gone." | Phase II — the third-party audit — is suspended. Phase I self-assessments, DFARS 7012, and NIST SP 800-171 remain in force. The Task Force reports in ~60 days; nothing is settled. |
| "Nobody's checking anymore." | You are — via self-assessment and annual affirmation. Your prime is — via flow-downs. And the government retained select government-led assessments. |
| "My SPRS score doesn't matter now." | Contracting officers and primes still see it, still use it, and Phase I still requires it where your contract does. |
| "There's no risk in letting things slide." | Your affirmation is a representation to the government, and False Claims Act accountability for its accuracy predates the suspension and survives it. |
| "I'll wait for September and see." | Your obligations under DFARS 7012 apply today — and they apply in every one of the review's possible outcomes, including full cancellation of CMMC. |
The Reframe: What Actually Changed on July 13
What changed is who checks your work.
The obligation to protect federal data didn't move an inch. The paid third-party assessor left the picture — and the person now responsible for verifying your compliance is you, with the government reserving the right to look over your shoulder.
That's not a loophole. It's a transfer of responsibility — from a scheduled audit you could prepare for, to a standing expectation you have to be able to meet on any given day. For contractors who treat it that way, it's genuinely good news: the expensive, capacity-constrained part of compliance is off the table, and what remains is the part a small business was always capable of doing well.
Doing it well means the same thing it meant before the suspension: a self-assessment you could hand to a skeptical stranger. Every practice addressed. Every answer backed by an artifact. A score you'd affirm under your own name without hesitation.
That's not busywork. Under Phase I, it's the requirement. Under DFARS 7012, it's the obligation. Under your prime's flow-downs, it's the price of admission. And in a government-led assessment, it's the whole defense.
If You'd Rather Not Figure This Out Alone
This is exactly the work our packages were built for — turning "prove you protect federal data" from an abstract obligation into a finite, defined checklist.
The Turnkey CMMC Level 1 Package breaks all 15 Level 1 practices into 142 defined artifacts, with platform-specific templates for Microsoft 365 or Google Workspace, all 8 device & network configuration guides, an Evidence Locker, and your SPRS documentation — packaged, organized, and date-stamped. Eight bi-weekly expert consulting sessions keep you moving, and most clients complete their Level 1 assessment in 2–4 weeks.
If you handle CUI, remember that Phase I kept Level 2 self-assessment live as well. Our L2 CUI Enclave Package maps all 110 practices to 182 defined artifacts for a dedicated CUI enclave on Google Workspace for Government or Microsoft 365 GCC High — pre-filled SSP, POAM framework, Risk Register, and evidence checklist, with no Active Directory, no SIEM, and no enterprise IT required. We provide the templates, configuration guides, and consulting; you implement, with our support.
⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.
The Bottom Line
The suspension of Phase II removed the audit. It did not remove a single obligation. DFARS 252.204-7012 predates CMMC and survives it. Phase I self-assessments and annual affirmations remain firmly in place — the Department said so in the same breath as the suspension. Your prime's flow-downs are untouched. Your accountability for what you attest is untouched.
The contractors who understand this will spend the next 60 days finishing a defensible self-assessment while their competitors stand still. The ones who don't will find out — from a prime, a contracting officer, or a government-led assessment — that "I thought we could stop" has never been an accepted answer in federal contracting.
We'd rather you be in the first group. That's why we wrote this.
Let's talk through what your contracts actually require now.
Book a free 30-minute consultation. We'll walk through your DFARS clauses, your prime's flow-downs, and where your self-assessment and evidence stand today — in plain English, sized for a business like yours. No pressure, no six-figure quotes.
Book a Free 30-Minute Consultation → Start with the Free AssessmentSources & Further Reading
- U.S. Department of War — "Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements" (July 13, 2026)
- DefenseScoop — "DOD halts cybersecurity requirements for CMMC Phase 2" (July 13, 2026)
- National Defense Magazine — "BREAKING: Pentagon Suspends Phase 2 of CMMC Program" (July 13, 2026)
- U.S. Small Business Administration — statement on the CMMC Phase II suspension (July 13, 2026)
- NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
This article is provided for informational purposes only and does not constitute legal advice. Contractors should review their specific contract terms, DFARS clauses, and flow-down requirements with qualified counsel.
